# Awesome AWS Security [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

A common curated list of links, references, books videos, tutorials (Free or
Paid), Exploit, CTFs, Hacking Practices etc. which are obviously related to AWS Security.
_List inspired by the [awesome](https://github.com/sindresorhus/awesome) list thing._

## Books
1. Hands-On AWS Penetration Testing with Kali Linux by PackT
2. Mastering AWS Security by PackT
3. Security Best Practices on AWS by PackT
4. Cloud Security Automation
5. AWS Automation Cookbook

## AWS Whitepapers
1. [AWS Security Best Practices](http://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf)
2. [AWS Security Pillar](https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf)
3. [AWS Overview of Security Processes](https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf)
4. [NIST Cybersecurity Framework](https://d0.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf)
5. [AWS Risk And Compliance](https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf)
6. [AWS Auditing Security Checklist](https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf)
7. [AWS HIPAA Compliance Whitepaper](https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf)

## Videos
1. [AWS Security by Design](https://www.youtube.com/watch?v=I1SwoKxB13c) - Youtube
2. [Account Security with IAM](https://www.youtube.com/watch?v=9CKsX6MOPDQ) - Youtube
3. [AWS re:Inforce 2019 Security Best Practices](https://www.youtube.com/watch?v=u6BCVkXkPnM) - Youtube
4. [AWS Cloud Security Playlist](https://www.youtube.com/watch?v=N4DdqAkeqD4&list=PLxzKY3wu0_FL4VDfuCohtikXTQNTvKQVX) - Youtube
5. [A cloud security architecture workshop by RSA](https://www.youtube.com/watch?v=4TxvqZFMaoA) - Youtube

## Online Tutorials/Blogs/Presentations
1. [AWS Security official blog](https://aws.amazon.com/blogs/security/)
2. [AWS in Plain English](https://expeditedsecurity.com/aws-in-plain-english/)
3. [Why the CIA trusts AWS](https://mediatemple.net/blog/tips/aws-building-blocks/)
4. [Fundamentals of AWS Security](https://www.slideshare.net/AmazonWebServices/fundamentals-of-aws-security) - Presentation from AWS
5. [Introduction to AWS Security](https://www.slideshare.net/AmazonWebServices/introduction-to-aws-security-131234529) - Presentation from AWS
6. [AWS Security primer](https://cloudonaut.io/aws-security-primer/) - Nice overview and quick run through AWS Security resources.

## Online Courses (Paid/Free)
1. [AWS Fundamentals: Address Security Risks](https://www.coursera.org/learn/aws-fundamentals-addressing-security-risk) - Coursera
2. [Cloud Computing Security](https://www.coursera.org/learn/cloud-computing-security) - Coursera
3. [AWS: Getting started with Cloud Security](https://www.edx.org/course/aws-getting-started-with-cloud-security) - EdX
4. [AWS Certified Security Specialty](https://www.udemy.com/course/aws-certified-security-specialty/) - Udemy by Zeal Vora
5. [AWS Certified Security Specialty](https://acloud.guru/learn/aws-certified-security-specialty) - From Acloud.guru
6. [AWS Advanced Security](https://www.udemy.com/course/aws-advanced-security/) - Udemy
7. [AWS for Architects: Advanced Security](https://www.linkedin.com/learning/aws-for-architects-advanced-security/) - Linkedin Learn by Lynn Langit
8. [Practical Event Driven Security with AWS](https://acloud.guru/learn/practical-event-driven-security-with-aws) - Acloud.guru
9. [Learning Path for AWS Security](https://learn.acloud.guru/learning-path/aws-security) - Nicely designed the learning path who wants to be an AWS Security Experts from Acloud.guru
10. [Cloud Hacking course](https://www.notsosecure.com/hacking-training/cloud-hacking/) - From NotSoSercure

## Tools of Trade
1. [AWS Security Products](https://aws.amazon.com/products/security/)
2. [Arsenal of AWS Security Tools](https://github.com/toniblyx/my-arsenal-of-aws-security-tools) - Collection of all security category tools and products
3. [AWS Security Automation](https://github.com/awslabs/aws-security-automation) - Collection of scripts and resources for DevSecOps and Automated Incident Response Security
4. [Security Monkey](https://github.com/Netflix/security_monkey) - Monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
5. [truffleHog](https://github.com/dxa4481/truffleHog) - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
6. [gitleaks](https://github.com/zricethezav/gitleaks) - Audit git repos for secrets
7. [AWS Security Benchmark](https://github.com/awslabs/aws-security-benchmark) - Open source demos, concept and guidance related to the AWS CIS Foundation framework.
8. [S3 Inspector](https://github.com/kromtech/s3-inspector) - Tool to check AWS S3 bucket permissions
9. [ScoutSuite](https://github.com/nccgroup/ScoutSuite) - Multi-Cloud Security Auditing Tool
10. [Prowler](https://github.com/toniblyx/prowler) - AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.
11. [AWS Vault](https://github.com/99designs/aws-vault) - A vault for securely storing and accessing AWS credentials in development environments
12. [AWS PWN](https://github.com/dagrz/aws_pwn) - A collection of AWS penetration testing junk
13. [Pacu](https://github.com/RhinoSecurityLabs/pacu) - AWS Penetration Testing Toolkits
14. [Zeus](https://github.com/DenizParlak/Zeus) - AWS Auditing and Hardening tool
15. [Cloud Mapper](https://github.com/duo-labs/cloudmapper) - Analyze your AWS environments (Python)

## Security Practice and CTFs
1. [AWS Well Architected Security Labs](https://wellarchitectedlabs.com/Security/README.html)
2. [Flaws to learn common mistakes in AWS through challenge](http://flaws.cloud/)
3. [Flaws2 focuses on AWS security concepts through various challenge levels](http://flaws2.cloud/)
4. [CloudGoat](https://github.com/RhinoSecurityLabs/cloudgoat) - Vulnerable by Design AWS infrastructure setup tool
5. [OWASP ServerlessGoat](https://github.com/OWASP/Serverless-Goat) - OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application maintained by OWASP for educational purposes.

## AWS Security Breaches
1. [AWS Security breaches - 2017](https://www.sumologic.com/blog/aws-security-breaches-2017/)
2. [200 million voters data leak](https://www.skyhighnetworks.com/cloud-security-blog/latest-voter-data-leak-is-a-lesson-in-aws-security/) - A lesson in AWS Security
3. [Imperva blames data breach on Stolen AWS API keys](https://www.zdnet.com/article/imperva-blames-data-breach-on-stolen-aws-api-key/)
4. [Tesla's Amazon cloud account was hacked and used to mine cryptocurrency](https://www.businessinsider.in/finance/teslas-amazon-cloud-account-was-hacked-and-used-to-mine-cryptocurrency/articleshow/63003345.cms)
5. [10 worst Amazon S3 breaches](https://businessinsights.bitdefender.com/worst-amazon-breaches)
6. [Lion Air the Latest to Get Tripped Up by Misconfigured AWS S3](https://www.darkreading.com/attacks-breaches/lion-air-the-latest-to-get-tripped-up-by-misconfigured-aws-s3-/d/d-id/1335864)

## Contributors
[Please refer the guidelines at contribute.md for details](Contribute.md).

Thanks to the following folks who made contributions to this project.

**Get your name listed here**

[List of Contributors](https://github.com/jassics/awesome-aws-security/graphs/contributors)